Role-based access control (RBAC) is a technique for controlling access to a computer system or network. In an organization's computer system, each user is assigned a role or function (hereinafter “role”). User access rights or permissions to perform tasks within the computer system are assigned to the roles. RBAC thus provides a framework for assigning user access rights and permissions based on the roles, and not directly based on the identity of the users per se.
In a conventional RBAC implementation, however, there is no correlation between an assigned role in the computer system and a real-world legal authority to perform an action on behalf of the organization. A user may occupy a role X that electronically permits him to perform a task Y in the computer system but there is nothing in a conventional RBAC implementation to guarantee that the performance of task Y by the user in role X actually is authorized and/or that it has any legal effect.
While electronic signatures may cryptographically provide identification and non-repudiation mechanisms, there is no way to ascertain that an electronic signature, or other electronic transaction or digital act performed by a user occupying a given role is actually legally authorized. The legal authority of the user occupying a given role has to date been overlooked by RBAC systems.
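To make the gap described above concrete, here is an added illustration (not code from the patent or from any cited application): a conventional RBAC check that answers only "does this user's role carry this permission?", placed beside a check that additionally requires a signed authority grant binding the user, the role, the permitted actions, a monetary limit and a validity window. All names, data and the `AuthorityGrant` structure are hypothetical; an HMAC under a registrar key stands in for the digital signature a real deployment would use, so that the example runs offline with the standard library.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

# Conventional RBAC: users -> roles -> permissions (all sample data is constructed).
ROLE_PERMISSIONS = {
    "purchasing_manager": {"create_purchase_order", "approve_purchase_order"},
    "clerk": {"create_purchase_order"},
}
USER_ROLES = {"alice": {"purchasing_manager"}, "bob": {"clerk"}}


def rbac_allows(user: str, action: str) -> bool:
    """Conventional check: does any role held by the user carry the permission?
    Nothing here says whether the user is legally authorized to act."""
    return any(action in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# Hypothetical authority grant: a record issued by the organization's authority
# registrar stating that this user, acting in this role, may perform these
# actions up to a monetary limit during a validity window. The registrar key is
# a constructed stand-in for a signing key.
REGISTRAR_KEY = b"constructed-registrar-key"


@dataclass(frozen=True)
class AuthorityGrant:
    user: str
    role: str
    actions: frozenset
    max_amount: int
    valid_from: date
    valid_to: date
    signature: bytes


def _grant_payload(user, role, actions, max_amount, valid_from, valid_to) -> bytes:
    # Canonical encoding (fixed field order, sorted actions, ISO dates) so that
    # issuer and verifier sign exactly the same bytes.
    return "|".join([user, role, ",".join(sorted(actions)), str(max_amount),
                     valid_from.isoformat(), valid_to.isoformat()]).encode()


def issue_grant(user, role, actions, max_amount, valid_from, valid_to) -> AuthorityGrant:
    payload = _grant_payload(user, role, actions, max_amount, valid_from, valid_to)
    sig = hmac.new(REGISTRAR_KEY, payload, hashlib.sha256).digest()
    return AuthorityGrant(user, role, frozenset(actions), max_amount, valid_from, valid_to, sig)


def grant_is_authentic(g: AuthorityGrant) -> bool:
    payload = _grant_payload(g.user, g.role, g.actions, g.max_amount, g.valid_from, g.valid_to)
    expected = hmac.new(REGISTRAR_KEY, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, g.signature)


def authorized(user: str, action: str, amount: int, on: date, grants) -> bool:
    """RBAC check plus authority check: the role must carry the permission AND an
    authentic grant must cover this user, role, action, amount and date."""
    for role in USER_ROLES.get(user, set()):
        if action not in ROLE_PERMISSIONS.get(role, set()):
            continue
        for g in grants:
            if (g.user == user and g.role == role and action in g.actions
                    and g.valid_from <= on <= g.valid_to
                    and amount <= g.max_amount
                    and grant_is_authentic(g)):
                return True
    return False


def demo() -> dict:
    """Constructed scenario: alice holds the role, but only a grant makes her act binding."""
    g = issue_grant("alice", "purchasing_manager", ["approve_purchase_order"],
                    10_000, date(2024, 1, 1), date(2024, 12, 31))
    # A grant whose limit was altered after issuance no longer verifies.
    tampered = AuthorityGrant(g.user, g.role, g.actions, 100_000,
                              g.valid_from, g.valid_to, g.signature)
    act, when = "approve_purchase_order", date(2024, 6, 1)
    return {
        "role_only": rbac_allows("alice", act),                 # True: RBAC alone says yes
        "no_grant": authorized("alice", act, 5_000, when, []),  # False: no legal authority on file
        "within_limit": authorized("alice", act, 5_000, when, [g]),    # True
        "over_limit": authorized("alice", act, 50_000, when, [g]),     # False
        "expired": authorized("alice", act, 5_000, date(2025, 6, 1), [g]),  # False
        "tampered": authorized("alice", act, 50_000, when, [tampered]),     # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the two checks side by side is that `rbac_allows` returns `True` for alice as soon as she occupies the role, while `authorized` also requires evidence, issued and signed outside the access-control system, that she may bind the organization for that action, that amount and on that date; the monetary limit and validity window are the kind of conditions a real-world mandate carries that a role alone does not express.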
This issue has implications not only in terms of internal corporate governance but also in the realm of e-commerce, especially in an international e-commerce transaction between distant organizations in which one user of a first organization may not be able to readily ascertain that another user of a second organization actually has authority to bind the second organization.
One e-commerce solution for role-based authorization is disclosed in U.S. Patent Application Publication 2001/0021928 (Ludwig et al.) entitled “Method for Inter-Enterprise Role-Based Authorization” that uses role certificates to enable one user from a first organization to authenticate another user from a second organization. However, this technology does not purport to link a role to a real-world legal authority to act on behalf of an organization.
Such a solution is disclosed in the present specification and the appended drawings.
It will be noted that throughout the appended drawings, like features are identified by like reference numerals.